CVE-2010-3864 — Race Condition in Openssl

CWE-362 — Race Condition CWE-662 — Improper Synchronization CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents9 sources

Severity

7.6HIGHNVD

EPSS

7.4%

top 8.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Vmware Esxi +4 more

Timeline

PublishedNov 17

Latest updateMay 14

Description

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 4.9 | Impact: 10.0

Affected Packages8 packages

▶vmwarevmware/vmware_vcenter_server

▶debiandebian/openssl< openssl 0.9.8o-3 (bookworm)

▶Debianopenssl/openssl< 0.9.8o-3+3

▶NVDopenssl/openssl12 versions+11

▶vmwarevmware/esxi

Patches

Patch: openssl.org ↗Patch: securitytracker.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-rvq6-rpm5-73fg: Multiple race conditions in ssl/t1_lib↗2022-05-14

▶

OSV

CVE-2010-3864: Multiple race conditions in ssl/t1_lib↗2010-11-17

▶

📋Vendor Advisories

VMware

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX↗2011-02-10

▶

BSD

FreeBSD-SA-10:10.openssl: OpenSSL multiple vulnerabilities↗2010-11-29

▶

Ubuntu

OpenSSL vulnerability↗2010-11-18

▶

Red Hat

OpenSSL TLS extension parsing race condition↗2010-11-16

▶

Debian

CVE-2010-3864: openssl - Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0...↗2010

▶

💬Community

Bugzilla

CVE-2010-3864 OpenSSL TLS extension parsing race condition [fedora-all]↗2010-11-16

▶

Bugzilla

CVE-2010-3864 OpenSSL TLS extension parsing race condition↗2010-11-03

▶